CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College
Areas of expertise Industry Certifications
PC Hardware
Network Administration
IT Project Management
Network Design
User Training
IT Troubleshooting
Qualifications Summary
Education
M.B.A., IT Management, Western Governor’s University
B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manager
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required, with a focus on technology.
5. Page 5
Hackers will often focus on
applications (software)
when they are attempting to
breach network security.
Because of this, application developers need to focus
on security controls right from the beginning of
developing the application. This is the idea of using
secure coding concepts.
An application designed with security in mind is much
easier to defend than an application that doesn’t use
such methods. Two of the main concepts of secure
coding are error and exception handling, and input
validation.
Application security controls and techniques.
6. Page 6
Application security controls and techniques.
– Error handling.
» Thoroughly testing applications will catch most errors, with the
possible exception of some runtime errors.
• Runtime errors are problems that occur during the operation
of an application.
• Many things can cause a runtime error. They include poor
programming, conflicts with other software (including
malicious applications), and conflicts with hardware.
» The developer should put processes in place that trap all
runtime errors before such an error crashes the application.
• Trapping a runtime error requires that the developer intercept
the error and display a warning message before the error
causes the application to crash.
– Exception handling.
» A more advanced method of error handling.
• An exception is a different term for a runtime error.
» Exception handling code uses a try/catch block: try this
code and catch any errors that occur.
• It usually also provides a way of looping the program until the
error condition subsides.
7. Page 7
A major cause of runtime
errors and other security
issues in applications is
users inputting invalid data
into the application.
Secure coding requires that input validation be done before that
data is actually placed into the application. Input validation is
when the user-supplied data is examined against a set of rules
that outline what type of data the application is expecting.
One method of testing input validation rules is to use fuzzing.
During the testing phase of the application, the developer will
input invalid or random data into the input fields in order to test
the input validation rules.
Application security controls and techniques.
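An added Python example, not from the PACE-IT slides, that puts together the error-handling points of page 6 and the input validation and fuzzing of this page: a username rule (constructed for the example), a naive and a hardened validator, a boundary that traps the error and returns a message instead of crashing, and a small fuzz loop that reports which inputs escaped as unhandled runtime errors.

```python
import random
import re
import string

# Constructed rule for this example: a username is 3-16 characters of letters,
# digits or underscore and must start with a letter.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{2,15}")
class ValidationError(ValueError):
    """The only error a validator is allowed to raise for bad input."""

def naive_validate(raw):
    # Validator as it is often first written: assumes the input is already a string.
    value = raw.strip()  # AttributeError on None or a number: an unhandled runtime error
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("bad username")
    return value

def hardened_validate(raw):
    # Checks the type first, so every rejection is a ValidationError and never a crash.
    if not isinstance(raw, str):
        raise ValidationError("username must be text")
    value = raw.strip()
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: 3-16 letters, digits or '_', starting with a letter")
    return value

def register(raw, validate=hardened_validate):
    """Trap the error at the application boundary and return a message instead of crashing."""
    try:
        return {"ok": True, "username": validate(raw)}
    except ValidationError as err:
        return {"ok": False, "message": str(err)}

def random_input(rng):
    """Random or invalid data of the kinds a fuzzer throws at a form field."""
    if rng.random() < 0.25:
        return rng.choice([None, rng.randrange(-1000, 1000), "", " " * 40, "a" * 5000, "\x00\x01"])
    return "".join(rng.choice(string.printable) for _ in range(rng.randrange(0, 40)))

def fuzz(validate, iterations=2000, seed=7):
    """Return the inputs that escaped the validator as an unhandled (non-Validation) error."""
    rng, crashes = random.Random(seed), []
    for _ in range(iterations):
        sample = random_input(rng)
        try:
            validate(sample)
        except ValidationError:
            pass  # rejected cleanly: the rule did its job
        except Exception as exc:  # anything else is a bug the fuzz run has found
            crashes.append((sample, type(exc).__name__))
    return crashes
```

Running `fuzz(naive_validate)` lists the None and numeric inputs that crash the first version, while `fuzz(hardened_validate)` comes back empty.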
9. Page 9
Application security controls and techniques.
– Client-side and server-side validation.
» Initial input validation should occur on the client (requesting
machine) before it is sent to the application on the server.
• This can help to prevent a runtime error or exploit on the
server and reduces the amount of traffic that is crossing a
network.
» Additional input validation should occur at the server (receiving
machine) before the input is passed on to the application—
further reducing the chances of a runtime error or an exploit
occurring.
– Cross-site scripting (XSS) prevention.
» XSS occurs when a hacker inserts script code into a form on a
website so that when other users access the form, the script is
executed.
• Proper input validation of data is usually an effective means of
preventing XSS from occurring.
10. Page 10
Application security controls and techniques.
– Cross-site request forgery (XSRF) prevention.
» XSRF is when a user is automatically directed to a linked Web
page and logged in using data supplied by a cookie from the
original page—when this was not the Web developer’s intent.
• Web developers can help to prevent XSRF from occurring by
setting a short expiration time for cookies.
• Users can help prevent XSRF by choosing not to have a
website automatically log them in when they visit the site.
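An added example (not from the PACE-IT slides) that puts pages 9 and 10 together in Python: the same allowlist rule is checked on the client and again on the server on whatever actually arrived, the accepted value is HTML-encoded before it is rendered so it can never run as script, and the session cookie is issued with a short Max-Age. The rule, the field name and the cookie name are constructed for the example.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed rule shared by both sides: a display name is 1-30 letters, digits,
# spaces, apostrophes or hyphens, so nothing that can open an HTML tag gets through.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 '-]{1,30}")

def client_side_validate(value):
    """Runs in the browser before submit: fast feedback and less bad traffic on the
    network, but it cannot be trusted because the request can be rewritten afterwards."""
    return bool(DISPLAY_NAME_RE.fullmatch(value))

def server_side_validate(value):
    """Runs again on the server, on whatever actually arrived: the check the app relies on."""
    return isinstance(value, str) and bool(DISPLAY_NAME_RE.fullmatch(value))

def render_greeting(name):
    """Validate, then HTML-encode on output so the value is shown as text, never run as script."""
    if not server_side_validate(name):
        return "<p>Invalid display name.</p>"
    return "<p>Welcome, " + html.escape(name) + "!</p>"

def handle_request(form):
    """Server entry point. `form` is the parsed request body as it came off the wire,
    whether or not the browser's client-side check ever ran."""
    return render_greeting(form.get("display_name"))

def session_cookie_header(session_id, max_age_seconds=900):
    """Set-Cookie value with a short lifetime (the XSRF mitigation from page 10),
    plus the HttpOnly and Secure flags that are standard for a session cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["max-age"] = max_age_seconds
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()
```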
– Application configuration baseline.
» The initial setting up of an application (the baseline) should be
done with security in mind.
• The baseline should be as secure as possible.
– Application hardening.
» Disabling all features and functions that users should not be
allowed to use (e.g., disabling an application’s ability to use
FTP).
• Should initially be done during the configuration process.
11. Page 11
Application security controls and techniques.
– Application patch management.
» New exploits and threats against applications are created all
the time, requiring that applications be updated on a regular
basis.
• Patches are used to fix problems (e.g., security issues) that
were unknown at the time the application was developed.
» Caution: just as with operating system patches, application
patches must be tested before being deployed into a production
setting.
– SQL vs. NoSQL databases.
» SQL databases are the most common relational database
management system used today.
• They are optimized for the inserting and updating of records in
a database.
» NoSQL databases are designed to store and retrieve large
amounts of data—big data.
• They must be optimized for the retrieval of big data, and
require different methods of input validation than a SQL
database.
12. Page 12
Application security controls and techniques.
Topic: Secure coding concepts.
Summary: Application security controls need to begin with the application’s developer
using secure coding methods. The two main concepts used in secure
coding are: error and exception handling and input validation. Error and
exception handling are how an application will deal with a runtime error.
Input validation is a method used to prevent users from inputting invalid
data into an application, which may cause a security issue or runtime error.

Topic: Other security controls, techniques, and concepts.
Summary: Client-side and server-side validation should both be used to prevent
application problems. Input validation can be used to prevent XSS from
occurring. XSRF prevention requires actions from both the user and the
Web developer. An application’s configuration baselines should be set to
the highest level of security and include application hardening techniques.
All applications should be patched as required to maintain security. SQL
databases and NoSQL databases are used to perform different functions
and require different methods of application security controls.
14. This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.